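---
# Reusable workflow: callers reference it with `uses:` from their own
# workflow file. The `workflow_call` trigger below declares no inputs or
# secrets, so the caller's default token and permissions apply.
name: Security hardening (Github Actions workflows)

on:  # yamllint disable-line rule:truthy
  workflow_call:

jobs:
  # CI harden security tries to keep your github actions secure by following these simple rules:
  # - Check if no issues are found on your Github Action
  # - Ensure that all action and reusable workflow are pinned using directly a commit SHA
  ci_harden_security:
    name: Github Action security hardening
    runs-on: ubuntu-latest
    permissions:
      # NOTE(review): none of the steps below uploads SARIF or otherwise writes
      # to code scanning as far as this file shows; confirm this grant is
      # needed, otherwise drop it and let the job run with a read-only token.
      security-events: write
    steps:
      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0

      - name: Lint your Github Actions
        # Both downloads below come from the mutable `main` ref of
        # rhysd/actionlint, so this step executes a script that is not pinned
        # to a commit SHA — the very property the next step enforces for
        # actions. Pin the ref in both URLs to a commit SHA and bump it
        # deliberately, the same way the `uses:` lines are pinned.
        run: |
          set -euo pipefail
          # -f: fail on HTTP errors instead of saving/executing an error page.
          # -sS: quiet, but still report real failures. -L: follow redirects.
          curl -fsSL -O https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json
          echo "::add-matcher::actionlint-matcher.json"
          # If the download script cannot be fetched, curl emits nothing, the
          # installer is skipped, and the ./actionlint call below fails the job.
          bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
          ./actionlint -color

      - name: Ensure SHA pinned actions
        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@6ca5574367befbc9efdb2fa25978084159c5902d # tag=v1.3.0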